
Tuesday, 30 Nov. 10: All Your Baseband Are: over-the-air exploitation of memory corruptions in GSM software (presentation slides)

All Your Baseband Are: over-the-air exploitation of memory corruptions in GSM software. Ralf-Philipp Weinmann, Laboratory for Algorithmics, Cryptology & Computer Security, University of Luxembourg.



  2. All Your Baseband Are: over-the-air exploitation of memory corruptions in GSM software
     Ralf-Philipp Weinmann, Laboratory for Algorithmics, Cryptology & Computer Security, University of Luxembourg, https://cryptolux.org

  3. Outline
     • GSM / Smartphone basics
     • Baseband software (in)security
     • How to find bugs
     • Practicality of exploitation
     • Scenarios for the “baseband apocalypse”
     • Disclosure, outlook & conclusions

  4. Part I: GSM and smartphone basics

  5. Lay of the GSM/UMTS land (diagram): MS (Mobile Station) <-- Um (air) interface --> BTS (base transceiver station) [usually located at cell tower] --> links to the outside world [BSCs, VLR, HLR/AUC, SS7]

  6. Layers of the GSM Um interface (diagram)
     • Layer 3: Connection Management (CM), Mobility Management (MM), Radio Resource (RR)
     • Layer 2: LAPDm
     • Layer 1

  7. Smartphones
     • Sometime in the late 20th century, PDAs and cellular phones merged
     • Result: smartphones
     • Have driven PDAs into extinction
     • Usually a multi-CPU architecture: application processor (APP) and baseband (BB) processor
     • In 99% of all cases, ARM CPUs used for both
     • Trend: single-chip APP/BB (for cost

  8. Dominant Smartphone archs (diagram): two designs. Either the Application Processor and the Digital Baseband Processor each have their own RAM and talk over a serial link, or the two share memory, with the Digital Baseband Processor as master and the Application Processor as slave.

  9. Let’s do some quick market research before we dive into the technical details...

  10. Baseband market shares 3Q2009 (pie chart): Qualcomm, Mediatek, Texas Instruments, ST-Ericsson, Infineon, Broadcom, Freescale, Other. Source: Strategy Analytics (Cellular Baseband Suppliers & their 3Q’09 shipment share)

  11. Part II: Baseband (in)security

  12. Baseband (in)security
     • Code base created in the 1990s…
     • … with a 1990s attitude towards security
     • Network elements are considered trusted
     • Both GSM and UMTS protocols have many, many length fields
     • (Almost) no exploit mitigations [one counter-example: XMM6180 on iPhone 4 has hardware DEP enabled]

  13. I know you forgot what the GSM protocol stack looks like, so let’s see it once more before we proceed.

  14. Layers of the GSM Um interface (diagram)
     • Layer 3: Connection Management (CM), Mobility Management (MM), Radio Resource (RR)
     • Layer 2: LAPDm
     • Layer 1

  15. Where to look for bugs
     • Layer 1 not fruitful
     • Layer 2: messages too short
     • Layer 3: specified in GSM 04.08 [callout: “Things get interesting”]
       – allows for variable length messages (TLV and LV)
       – Maximum length: 255 octets (length field: one octet)
     • However: ASN.1 used as well (e.g. RRLP)
     • GPRS layer very fruitful as well
       – GPRS not supported by OpenBTS – layer 1 different



  18. Initial Targets (photos; image credits: Yutaka Tsutano, Jose A. Gelado)
     • Apple iPhones (Infineon baseband)
     • HTC Dream [G1] (Qualcomm baseband)

  19. How were the bugs found?
     • Fuzzing was not successful
       – Lots of crashes, but no easy way to triage
     • Static analysis
     • No source code publicly available
       – exception: TSM30 src was available for some years
     • Conclusion: reverse-engineer binaries

  20. How do we start?
     • Firmware updates often contain baseband firmware as well
     • Packed multiple times, need to extract
     • Tools for iPhone and HTC phones to do that
     • Qualcomm firmwares: ELF files
     • Infineon needs custom loaders/relocator
     • Later: ability to dump memory/MMU

  21. Reverse-engineering
     • Bootstrap: use BinDiff to port symbols from known libraries (i.e. compiler runtimes)
     • Identify functions that do memory transfers using REIL and BinNavi
     • Lots of strings and assertions (!) in firmwares
     • Often: clean-cut regions for RR/MM/AT command parser in binary

  22. More reversing
     • Identified functions handling GSM frames
       – Problem: apparently different tasks
       – Assertions/logging functions very helpful

  23. Types of bugs found
     • Many, many unchecked memory copies (can be found in binary once memcpy() et al. identified)
     • Object/structure lifecycle issues (e.g. use after free, uninitialized variables, state engine confusion), can lead to infoleaks as well
     • Protocol foo-bars: Code paths normally used for UMTS / CDMA can be triggered using GSM frames

  24. An example (in ICE
     • TMSI reallocation:
       – TMSI always, always, always is 32 bits
       – nonetheless encoded as TLV
     • Infineon stack uses length in L3 packet
     • Results: heap overflow
     • Somewhat tricky to exploit in stable way
     • iPhone 2/3G/3GS vs. iPhone 4: different RTOS
       – old iPhones: Nucleus
       – iPhone 4: ThreadX

  25. An example (in QCOM
     • GSM & UMTS use challenge-response auth
     • Originally: fixed-length challenge in GSM
       – 16 bytes RAND
     • 3GPP specification 24.008 added variable length challenge (AUTN)
     • Functionality not needed in GSM!
     • Allows to overwrite stack (limit 251 bytes)
     • Result: remote code exec, pre-auth
     • QCOM fixed after disclosure (pushed to OEMs)
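The two bugs on slides 24 and 25 share one root cause: a copy whose size comes from a length octet in the L3 message rather than from the fixed size the protocol element actually has. As an added example (not code from the talk, nor from any vendor's stack), here is a defensive decoder for the Mobile Identity LV element that carries the TMSI in a TMSI REALLOCATION COMMAND, written so that the length octet is checked against both the remaining frame and the single legal TMSI size before anything is copied; the element layout is assumed from 3GPP TS 24.008 section 10.5.1.4 and the sample frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the talk's code. Mobile Identity LV for a TMSI
 * (layout assumed from 3GPP TS 24.008 10.5.1.4):
 *   octet 1     L            one octet, so at most 255
 *   octet 2     1111 0 100   digit filler, even indicator, type of identity = TMSI
 *   octets 3-6  TMSI         always 32 bits, whatever L claims
 * The slide's bug class is a stack that sizes its copy from L. Here L is
 * untrusted and only the one legal length is accepted. */
#define TMSI_OCTETS   4
#define MI_TYPE_TMSI  0x04
#define MI_TMSI_LEN   (1 + TMSI_OCTETS)

enum mi_status { MI_OK = 0, MI_TRUNCATED, MI_BAD_LEN, MI_NOT_TMSI };

/* lv points at the L octet; avail is the number of octets left in the L3 frame. */
enum mi_status decode_tmsi_lv(const uint8_t *lv, size_t avail, uint32_t *tmsi)
{
    if (avail < 1) return MI_TRUNCATED;
    size_t len = lv[0];
    if (len > avail - 1) return MI_TRUNCATED;  /* L claims more than the frame holds */
    if (len != MI_TMSI_LEN) return MI_BAD_LEN; /* never let L drive a 32-bit copy */
    if ((lv[1] & 0x07) != MI_TYPE_TMSI) return MI_NOT_TMSI;
    uint32_t t = 0;
    for (size_t i = 0; i < TMSI_OCTETS; i++) t = (t << 8) | lv[2 + i];
    *tmsi = t;
    return MI_OK;
}

/* Constructed sample elements (tail of a TMSI REALLOCATION COMMAND, after the LAI). */
static const uint8_t good_lv[]     = { 0x05, 0xF4, 0x12, 0x34, 0x56, 0x78 };
static const uint8_t oversize_lv[] = { 0x20, 0xF4, 0x12, 0x34, 0x56, 0x78, 0, 0 }; /* L=32, only 8 octets present */
static const uint8_t long_lv[34]   = { 0x20, 0xF4 }; /* L=32 with 32 octets present: fits the frame, not a TMSI */

int main(void)
{
    uint32_t t = 0;
    printf("good:     status %d tmsi %08x\n", decode_tmsi_lv(good_lv, sizeof good_lv, &t), t);
    printf("oversize: status %d\n", decode_tmsi_lv(oversize_lv, sizeof oversize_lv, &t));
    printf("long:     status %d\n", decode_tmsi_lv(long_lv, sizeof long_lv, &t));
    return 0;
}
```

The third sample is the case a frame-bounds check alone would miss: the element is well framed, so only the fixed-size rule rejects it.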

  26. Baseband Exploitation
     • Baseband: what operating system?
     • Unlock teams often have good info on this (iPhone dev team, XDA developers)
     • Locate buffers used for GSM L3 messages
     • Write custom code or use existing features (e.g. AT+S0=x handler in Infineon baseband)
     • Debugging is hard, write own debugger

  27. The AT+S0=n feature
     • Hayes command to turn on auto-answer
     • present in some software stacks (verified for Infineon & QCOM)
     • Enable with *5005*AANS# on iPhones, disable with #5005*AANS#
     • Excellent target to demonstrate memory corruptions
     • Auto-answer can be made silent/

  28. Part III: Practicality

  29. Why should we care
     • New base stations: expensive (cheapest: 25k USD)
     • Old gear however often is sold on eBay
     • Threat model has entirely changed: hardware has become cheap, open-source SW appeared
     • Open-source projects for running GSM base stations: OpenBSC & OpenBTS
     • OpenBTS provided service at Burning Man 2008-2010
     • HAR2009 had OpenBSC test network

  30. Siemens BS11 (photo; image credit: Björn Heller)
     • used by OpenBSC
     • HEAVY
     • E1/Abis interface
     • cheap: EUR 250
     • hard to come by now.

  31. ip.access nanoBTS
     • supported by OpenBSC as well
     • Abis over IPv4
     • approx. USD 4500
     • different versions for GSM900/1800, GSM850/1900
     • supports GPRS

  32. Our gear: Ettus USRPv1 (photo; image credit: Synthesis Studios)
     • price: approx USD 1250 plus good clock
     • software defined radio (SDR)
     • versatile (different daughterboards)
     • OpenBTS support, GSM850/900, GSM1800/1900
     • no GPRS since layer 1 is different there
     • clock: wrong freq (64MHz) and imprecise

  33. Part IV: Demo

  34. Common failures (my experience)
     • Lacking clock precision
     • Misinterpreting stack traces
     • Triggering the wrong bug ;)
     • Overlooking that code is placed in a non-exec page

  35. Some words about clocks
     • Get a good one, seriously!
       – GSM spec requires 0.05ppm
       – equiv. to 50Hz in 900MHz band
     • Time is too precious for fixing clock issues
     • Using FA-SY on the road (EUR 40)
       – Si570 based design
       – not optimal: 20ppm uncalibrated
       – approx. 1ppm when calibrated

  36. Part V: The Baseband Apocalypse

  37. The “Baseband Apocalypse”
     • Place fake BTS in crowded/sensitive areas: airport lounges, financial districts, near embassies
     • Stealth room monitor: record audio, compress, store in RAM, piggy-back onto next data connection (mic/camera usually hang off BB CPU)
     • Shared mem CPUs: compromise APP CPU as well, place backdoor/rootkit

  38. The “Baseband Apocalypse”
     • Ping-pong games: compromise cellphone, then BTS/BSC, infect more phones from there
     • Brick phones permanently (e.g. erase SecZone on iPhone)
     • No easy forensics possible in BB land (JTAG disabled to prevent easy unlocks). Need exploits to perform forensics
